It's early days, and you can be forgiven for believing that connecting private and public clouds using a VPN is a reasonable practice for building a hybrid cloud. You can be forgiven, but you won't be correct. In fact, you will have fallen into a common trap.

It all starts with great intentions: "We want a hybrid cloud!" Then reality hits. Standards are still in flux, and platform selection isn't easy. VMware is slugging it out with Microsoft's Azure Cloud OS, and both are worried about OpenStack, which is championed by Hewlett-Packard, IBM SoftLayer, Rackspace, and others. You figure, let's work this OS mess out first, then worry about securing it all.

Let me be clear: Building now and adding security later isn't a plan. You can't separate securing a hybrid cloud from how you structure your architecture. Securing a hybrid cloud requires tweaking long-standing foundational elements, such as risk assessments, while addressing entirely new capabilities such as cloudbursting, where a service that hits maximum internal capacity shuttles new demand to a public cloud.

In fact, a security review might well reveal that you have no business calling your cloud setup "hybrid," in the same way IT has no business calling a box of tapes in the stockroom a "disaster recovery strategy."

Among 383 respondents to InformationWeek's Hybrid Cloud Survey, 36% have implemented or are pilot-testing private clouds, with an additional 44% actively planning or considering. Of those with functional private clouds, 30% have working hybrid systems, with the ability to deploy workloads on either public or private clouds. Just 18% of them split their workloads fairly evenly.

No matter how you figure, for now, hybrid is an exclusive club.

The cloud changes everything

Security and architecture are the areas most affected by our embrace of all things cloud. That is because if you simply apply the best security and architectural practices from the on-premises world to the cloud world, you will have a suboptimal -- and potentially failed -- deployment. IT professionals are only gradually waking up to this realization, so it's still somewhat acceptable to lack cloud-specific plans. However, soon organizations that fail to understand the differences that the cloud brings will be pilloried in the same way that today we shake our heads at those that lose a laptop holding the unencrypted identities of tens of thousands of customers.

Connecting public and private clouds securely depends on some core concepts.

First, the idea of least user privilege is more relevant now than ever. All connections between public and private clouds should be limited and granular, as opposed to making more general network-to-network connections, even with a VPN.

One phrase -- "identity is the new perimeter" -- captures the essential elements. I make a detailed case in this InformationWeek cloud security and risk report, but in a nutshell, the traditional model of IT security follows the concepts of physical security fairly closely. We draw a perimeter around the physical bounds of an organization and assume that people within the wall should be granted access to all information and services by default, while those outside the perimeter should be kept out of everything.

Both of these assumptions are unworkable today. We've learned the hard way that individuals within the perimeter are very likely to cause security breaches, by downloading malware and falling for phishing schemes. And to take advantage of mobile devices and the cloud, we need to grant access to many people and services outside of the perimeter.

However, many, many organizations still cling to a perimeter-like security model -- they've just made an ever-broader perimeter (say, connecting clouds by VPN) while severely restricting what any user can do anywhere. Plenty of knowledge workers aren't allowed to install new software on any device; they must have IT do it by calling 1-800-WASTED TIME.

This is a losing plan for a number of reasons. Clearly, one problem is that it severely hurts the productivity of your employees and contractors. But second, you need to treat the public cloud with much more skepticism and concern than you do your own hardware, since many more third parties have access to the physical machines. That's clear from the 2014 Strategic Security Survey results; "unauthorized access and defects in the technology itself" has led the cloud concerns hit parade in our survey for as long as we've asked the question. Building an ever-expanding perimeter will create no end of risk in a hybrid setup.

The solution, embraced by many leading security experts, is an island-centric view, where very thin back channels allow each "island" to verify identity and access parameters with a centralized server, but otherwise, networks and hardware stay completely separate. This is the "identity is the new perimeter" security model, and in a post-Target-breach world, it should be fairly clear that it offers the right way to go.
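To make the contrast between the two models concrete, here is an added example (not from the article) that evaluates the same access requests under a VPN-style perimeter policy and under the island-centric, identity-bound policy described above. The network ranges, service names and grants are constructed placeholders standing in for a site-to-site VPN and a central identity server.

```python
"""Perimeter-style vs identity-centric access decisions (added example)."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed: a site-to-site VPN has joined the on-prem 10.0.0.0/8 and the
# public-cloud 172.16.0.0/12 ranges into one routable "perimeter".
PERIMETER_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("172.16.0.0/12")]

# Constructed identity directory, standing in for the central identity server
# that each "island" consults over its thin back channel. Each identity holds
# only the grants it needs (least privilege).
IDENTITY_GRANTS = {
    "svc-billing": {"orders-db:read"},
    "svc-burst-worker": {"queue:consume"},
}

@dataclass(frozen=True)
class Request:
    src_ip: str
    identity: Optional[str]   # None = no verified identity presented
    action: str               # e.g. "orders-db:read"

def perimeter_allows(req: Request) -> bool:
    """VPN perimeter: any host inside the joined networks may reach anything."""
    src = ipaddress.ip_address(req.src_ip)
    return any(src in net for net in PERIMETER_NETS)

def island_allows(req: Request) -> bool:
    """Island model: network position is irrelevant; only an identity the
    central server vouches for, holding exactly this grant, is allowed."""
    if req.identity is None:
        return False
    return req.action in IDENTITY_GRANTS.get(req.identity, set())

def compare(req: Request) -> dict:
    """Decision from both models for the same request, for side-by-side review."""
    return {"perimeter": perimeter_allows(req), "island": island_allows(req)}

if __name__ == "__main__":
    samples = [
        Request("172.16.5.9", None, "orders-db:read"),             # compromised cloud VM
        Request("172.16.5.9", "svc-burst-worker", "orders-db:read"),  # over-reach by a burst worker
        Request("10.1.2.3", "svc-billing", "orders-db:read"),         # legitimate access
    ]
    for s in samples:
        print(s.src_ip, s.identity, s.action, compare(s))
```

The first two samples show the article's point: inside a VPN-joined perimeter, a compromised cloud host and an over-reaching cloudburst worker are both allowed to reach the orders database, while the identity-bound policy denies them and permits only the identity that actually holds that grant.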

Joe began his career by winning the 1996 Weird Software Contest with the Mutant Chicken Races and creating the first Windows-based iPod application. Over the past ten years, Joe transitioned from development to systems design and data analysis, creating the first BuildFax ...

Well, I think that this is functionally what cloud management systems are trying to do (from RightScale to Apprenda to OpenStack to CenturyLink's VMware support)--have a higher-level management layer that controls launching VMs (when, where, how). But the same security problems remain--how are you connecting the private to the public?

My main focus in the piece was really to voice an opinion that just isn't out there enough: Hybrid Cloud is hard, and often unnecessary. And it's even harder if you live in the past paradigm of endpoint security, which is still the focus of most enterprise security budgets and the focus of most security audits.
I do agree that Amazon has done an amazing job with best-practices security at AWS, but it's just hard (both theoretically and practically) to join an existing enterprise environment to AWS and have things work as they need to...

What about Martin Casado's assertion that the hypervisor is the Goldilocks zone for security, neither too hot nor too cold. Can the hypervisor on-premises and in the cloud serve as a valuable vantage point from which to perform watchfulness and security functions?

Good discussion of the issue here. Considering how hard it is to get legacy systems to work in a hybrid cloud setting, I'm not surprised at Joe's figures. But I think he should take a closer look at the PCI-compliant parts of Amazon and other clouds. It's not just VPN access. Also, I think we're on the verge of implementing better, coordinated defenses in depth, which makes the concept of protect-the-perimeter seem a little dated. If we start to apply machine learning to security, we'll make rapid strides. A fuller definition and enforcement of disallowed behaviors in each application setting would weed out a lot of trouble makers.

Your key point here, Joe, seems to be that we should take a long hard look at whether we even want to invest in private cloud before we spend a dime, not after there's already a problem. In keeping with that, I'll say that I don't see a hybrid cloud anywhere on my horizon, and I think this is not really a pressing concern for me. Nevertheless, I read the whole paper, and I very much consider it time well spent. After all, current trends tend to 'bleed into' one another - for example, we see the attempt at slapping archaic security onto modern problems in other areas such as mobile.

I agree with most of your issues with hybrid cloud and common problem-solving approaches therein - you've made a very convincing argument. On the other hand, I often feel that we run the risk of preaching to the choir. I'm trying to envision somebody at a healthcare organization not doing due diligence and evaluating if his hybrid cloud strategy violates HIPAA or other regulations... this person certainly exists (and he'll probably have the exact troubles you list), but is he reading tech digests to teach him otherwise? I think that most of us here are probably in your camp already. Still, it's always nice to have a recap and see all this survey info collected in one place. Thanks!

I'm seeing that as well. We tend to put things into buckets, group A we can put in a public cloud but group B we really need to keep in house so we'll do a private cloud. I'm still mostly private because I don't need the hardware behind a big public cloud solution. I can still easily serve all the needs of the company from inside our own infrastructure but if/when that isn't possible I don't see recommending a hybrid solution.

Not terribly surprised. When we asked our InformationWeek Elite 100 if they shifted between private and public clouds based on demand, just 15% said they do. These are the leading innovators. Most companies seem to keep their private clouds and public clouds wholly separate, doing different jobs.

I think it's largely because hybrid cloud is just hard to do properly. I think the gap between organizations who have wanted to do hybrid cloud and who have actually been successful at implementing is very wide.

"Of those with functional private clouds, 30% have working hybrid systems, with the ability to deploy workloads on either public or private clouds. Just 18% of them split their workloads fairly evenly." Anyone else surprised by how low these numbers are? I am.
